[Pkg-utopia-maintainers] Bug#865413: flatpak: Flatpak security issue #845 involving setuid/world-writable files

Simon McVittie smcv at debian.org
Wed Jun 21 08:46:21 UTC 2017


Package: flatpak
Version: 0.8.5-2
Severity: critical
Tags: security fixed-upstream
Forwarded: https://github.com/flatpak/flatpak/issues/845
Justification: potentially (in worst case) root security hole

The Flatpak developers recently released version 0.8.7 fixing a security
issue. A third-party app repository could include malicious apps that
contain files with inappropriate permissions, for example setuid or
world-writable. Older Flatpak versions would deploy the files with those
permissions, which would let a local attacker run the setuid executable
or write to the world-writable location.

In the case of the "system helper", files deployed as part of the app
are owned by root, so in the worst case they could be setuid root.

Mitigations:
* If you are running apps from a third party already, then there is
  already a trust relationship (the app is sandboxed, but the sandbox
  is not very strict in practice, and the third-party vendor chooses
  what permissions the app will have)
* The default polkit policies will not allow apps to be installed
  system-wide unless a privileged (root-equivalent) user has added
  the third-party app repository, which indicates that the privileged
  user trusts the operator of that repository
* The attacker exploiting the wrong permissions needs to be local

It seems that upstream consider this to be a minor security issue due
to those mitigations.

For the buster and sid suites, this will be fixed in 0.8.7-1 shortly.

For the experimental suite, this will be fixed in 0.9.6-1. That will
take a bit longer because it needs a newer version of libostree.

Security team: do you want a backport/DSA for stretch-security, or do
you consider the mitigations to be sufficient to fix this through
a stable update instead? I am hoping to get 0.8.7 into stretch r1 as a
stable update, but 0.8.6 contains unrelated bug fixes that I realise
you won't necessarily want in stretch-security (proposed-update tracked
at <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864028>).

For a stretch-security backport with just this fix, I could optionally
also include these security-hardening-related commits from 0.8.6:
https://github.com/flatpak/flatpak/commit/6265200c83f23acceb3c9b192ebc1ffa9db140de
https://github.com/flatpak/flatpak/commit/414d699621664913dadebcf5db39732b99268c37
Please let me know whether you would prefer those included or excluded.

    S
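The check a local administrator might want after reading the above: walk a deployed app tree and list every file or directory carrying the mode bits the report describes (setuid/setgid, world-writable). This is an added example, not code from Flatpak, from the bug report or from the Debian package. It assumes a Linux system with GNU find and GNU stat; the /var/lib/flatpak path in the usage comment is an assumption about a typical system-wide install, and the sample tree the script builds is constructed here purely to exercise the scan.

```shell
#!/bin/sh
# Added example (not Flatpak's own code): report setuid/setgid and
# world-writable entries under a deployed app tree.
#
# Usage (path is an assumption about a typical system install):
#   scan_bad_perms /var/lib/flatpak/app/<app-id>/current/active/files
#
# Requires GNU find (-perm /MODE) and GNU stat (-c), i.e. Linux.

# Print one line per offending path: "<octal mode> <owner> <path>".
#   -perm /6000  matches anything with setuid or setgid set
#   -perm -0002  matches anything writable by "other"
scan_bad_perms() {
    dir="$1"
    find "$dir" \( -type f -o -type d \) \
        \( -perm /6000 -o -perm -0002 \) \
        -exec stat -c '%a %U %n' {} \; | sort
}

# Number of offending paths; useful as a pass/fail gate in a script.
count_bad_perms() {
    scan_bad_perms "$1" | wc -l | tr -d ' '
}

# Constructed sample tree standing in for a malicious app's files/ dir.
# Two entries carry the bad modes from the report, one is a normal file.
make_sample_tree() {
    root="$1"
    umask 022
    mkdir -p "$root/bin" "$root/share"
    printf '#!/bin/sh\nid\n' > "$root/bin/helper"
    chmod 4755 "$root/bin/helper"            # setuid executable: bad
    : > "$root/share/config.ini"
    chmod 0666 "$root/share/config.ini"      # world-writable: bad
    : > "$root/bin/ok"
    chmod 0755 "$root/bin/ok"                # ordinary mode: fine
}

# Demo run on the constructed tree; prints the two offending entries.
demo_tmp=$(mktemp -d)
make_sample_tree "$demo_tmp/files"
echo "offending entries: $(count_bad_perms "$demo_tmp/files")"
scan_bad_perms "$demo_tmp/files"
rm -rf "$demo_tmp"
```

On a real install the tree is root-owned under the system helper, so run the scan as root or it will skip unreadable directories; a non-zero count is the signal to remove the app and distrust the repository it came from.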
